24-56
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Table 24-13 Add New Security Association Dialog Box (Continued)

Element: Security Policy
Description: The access control list policy object defined for the security association. Click Select to choose from a list of predefined ACL objects or to create a new one. For a detailed explanation of the contents of this object and how it relates to the group member security policy, see Understanding the GET VPN Security Policy and Security Associations, page 28-10.

Note: If you are using multicast as the method to distribute the keys, then the ACL policy object must contain a deny rule (ACE) for the multicast address. In this way, the rekey packets sent using multicast will not be encrypted by the TEK. This statement allows the group members to receive rekey packets sent using the multicast protocol.

Element: Enable Anti-Replay
Description: Whether to enable the anti-replay feature, which helps prevent eavesdroppers from inserting packets into the data stream. You can configure anti-replay based on traffic counters or time:

  Counter Window Size—Although this is the default, it is not recommended. Counter-based anti-replay is useful only if there are two group members (essentially a point-to-point VPN). Select a window size.

  Time Window Size—This is the preferred method, but it requires that there are more than two group members. Enter the number of seconds of the interval duration of the Synchronous Anti-Replay (SAR) clock. The value range is 1 through 100. The default value is 100. For more information on time-based anti-replay, see Understanding Time-Based Anti-Replay, page 28-11.

Note: If you are encrypting high packet rates for count-based anti-replay, ensure that you do not make the KEK or TEK lifetime too long or it can take several hours for the sequence number to wrap. For example, if the packet rate is 100 kilopackets per second, the lifetime should be configured as less than 11.93 hours so that the SA is used before the sequence number wraps.
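As an added example that is not from the Cisco guide or its product code: a Python model of the counter-based anti-replay window that Counter Window Size configures, patterned on the ESP sliding window of RFC 4303 Appendix A, together with the wrap-time calculation behind the 11.93-hour figure in the note above. The 32-bit sequence number, the class and the function names are assumptions made for illustration.

```python
# Added illustration (not Cisco's implementation): a counter-based
# anti-replay window plus the sequence-number wrap calculation.
# Assumes a 32-bit sequence number, as ESP uses without ESN.

SEQ_BITS = 32
SEQ_MAX = 2**SEQ_BITS - 1  # highest sequence number before the counter wraps


class ReplayWindow:
    """Track received sequence numbers in a sliding window of `size` packets."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => seq (highest - i) already received
        self.wrapped = False  # set once the sequence space is exhausted

    def check(self, seq):
        """Return True if `seq` is new and inside the window, else False (drop)."""
        if seq == 0 or seq > SEQ_MAX:
            return False  # 0 is never a valid ESP sequence number
        if seq > self.highest:
            # Slide the window forward; bits shifted past `size` fall off.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            if seq == SEQ_MAX:
                self.wrapped = True  # the SA must be rekeyed, not reused
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # older than the window: dropped
        if self.bitmap & (1 << offset):
            return False  # already seen: replay
        self.bitmap |= 1 << offset
        return True


def max_sa_lifetime_hours(packets_per_second):
    """Hours until a 32-bit sequence number wraps at a steady packet rate.

    The KEK/TEK lifetime should be configured below this value so the SA
    is replaced before the counter wraps (100 kpps -> about 11.93 hours).
    """
    return (SEQ_MAX + 1) / packets_per_second / 3600
```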